On Wed, Jun 05, 2024 at 06:33:42PM +0200, Ben Grande wrote:
> Hello qubes-devel,
>
> Is it worth looking into improving QubesOS nftables rule matching
> speed? In order of speed: `if` > `ifgroup` > `ifname` (output and
> input). Qubes uses a mix of them. Would work on changing the
> rules to match faster be worth it?
>
> Some rules matching 'iifname "vif*"' could be changed to 'iifgroup 2'.
>
> Rules of a netvm:
>
> $ sudo nft -s list ruleset | grep iif
>
> iifgroup 2 goto antispoof
> iifname . ip saddr @allowed accept
> iifgroup 2 udp dport 68 counter drop
> iifgroup 2 meta l4proto icmp accept
> iif "lo" accept
> iifgroup 2 counter reject with icmp host-prohibited
> iifname . ip6 saddr @allowed accept
> iifgroup 2 goto antispoof
> iifgroup 2 goto _icmpv6
> iif "lo" accept
> iifname != "vif*" accept
> iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90, 10.138.35.169, 10.138.38.234 } drop
> iifname != "vif*" accept
> meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel
Take a look at the "Firewall antispoofing in ingress hook" thread; it
goes even further for some parts.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
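As an added illustration of the rewrite Ben proposes (example code, not from the thread or from the Qubes firewall scripts): the two wildcard name matches in the listing, `iifname "vif*"` and `iifname != "vif*"`, can be expressed as interface-group matches, which compare an integer instead of a wildcard string. The script below does that rewrite on a constructed copy of the listed rules and adds the check a practitioner wants before deploying such a change: an `iifgroup 2` rule only matches devices that are actually in group 2, so a vif that was never assigned to the group would silently fall through the antispoof and drop rules that the name match used to catch. The assumption, suggested by the existing `iifgroup 2` rules in the listing, is that the netvm already places its vif interfaces in group 2; `rewrite_vif_match`, `count_name_matches` and `iface_in_group` are names chosen here, not tools from the project.

```shell
#!/bin/sh
# Added example (not part of the original thread): turn wildcard vif* name
# matches into interface-group matches and check the group assignment.
# Assumption: the netvm's vif* devices are already in interface group 2, as the
# existing "iifgroup 2" rules in the post's listing imply.

# Constructed sample ruleset (a subset of the listing in the post, with one
# positive vif* match added to exercise both rewrite directions).
SAMPLE_RULES='iifgroup 2 goto antispoof
iif "lo" accept
iifname != "vif*" accept
iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90 } drop
iifname "vif*" counter drop'

# rewrite_vif_match: read rules on stdin, print them with the exact "vif*"
# wildcard name matches replaced by group matches. Specific names such as
# iifname "vif12.0" and the iif "lo" rule are deliberately left untouched.
rewrite_vif_match() {
    sed -e 's/iifname != "vif\*"/iifgroup != 2/g' \
        -e 's/iifname "vif\*"/iifgroup 2/g' \
        -e 's/oifname != "vif\*"/oifgroup != 2/g' \
        -e 's/oifname "vif\*"/oifgroup 2/g'
}

# count_name_matches: number of rules on stdin that still match the vif*
# wildcard by name; expected to be 0 after the rewrite.
count_name_matches() {
    grep -c 'ifname \(!= \)\{0,1\}"vif\*"' || true
}

# iface_in_group: return 0 if the named device is in the given group, using
# the "group N" field that "ip -o link show" prints. Needs a live interface,
# so it is not exercised by the constructed sample above; run it for every
# vif before replacing a name match with iifgroup, otherwise a device outside
# the group stops matching the rule without any error being reported.
iface_in_group() {
    dev=$1
    grp=$2
    ip -o link show dev "$dev" 2>/dev/null | grep -q " group $grp "
}

# Stand-alone run: show the rewritten rules and how many name matches remain.
printf '%s\n' "$SAMPLE_RULES" | rewrite_vif_match
printf 'remaining vif* name matches: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | rewrite_vif_match | count_name_matches)"
```

The rewrite is intentionally narrow: only the literal `"vif*"` wildcard is converted, because a rule that names one specific vif (to single out one qube) has no group equivalent and must stay a name match.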